CVE-2025-13109: CWE-639 Authorization Bypass Through User-Controlled Key in realmag777 HUSKY – Products Filter Professional for WooCommerce
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof_add_query" and "woof_remove_query" functions due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to insert or remove arbitrary saved search queries into any user's profile, including administrators.
AI Analysis
Technical Summary
CVE-2025-13109 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress. The vulnerability exists in all versions up to and including 1.3.7.2. It arises because the plugin's functions woof_add_query and woof_remove_query fail to properly validate a user-controlled key parameter. This lack of validation allows authenticated users with subscriber-level privileges or higher to manipulate saved search queries in other users' profiles, including those of administrators. Specifically, attackers can insert or remove arbitrary saved search queries, potentially altering the behavior of the plugin or the user experience without authorization. The vulnerability is remotely exploitable over the network without requiring user interaction beyond authentication. The CVSS v3.1 score is 4.3 (medium), reflecting low impact on confidentiality and availability but a partial impact on integrity. No known public exploits or patches are currently available, indicating the need for proactive mitigation. The flaw represents an insecure direct object reference (IDOR) scenario where access control checks are insufficient or missing for sensitive operations on user data within the plugin.
Potential Impact
For European organizations, this vulnerability primarily threatens the integrity of user data within WooCommerce stores using the affected plugin. Attackers with low-level authenticated access (subscriber or above) can manipulate saved search queries in other users' profiles, including administrators, potentially disrupting administrative workflows or causing confusion. While it does not directly expose sensitive data or cause denial of service, unauthorized data modification can undermine trust and operational stability. E-commerce sites relying on this plugin may face risks of subtle sabotage or manipulation of user settings, which could indirectly affect customer experience or administrative efficiency. The vulnerability could also be leveraged as a stepping stone for further attacks if combined with other flaws. Given WooCommerce's popularity in Europe, especially in countries with large e-commerce markets, the impact could be significant if exploited at scale.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately audit and restrict access controls within the HUSKY – Products Filter Professional plugin, ensuring that all user-controlled keys are properly validated against the authenticated user's permissions. Specifically, developers or site administrators should implement strict authorization checks in the woof_add_query and woof_remove_query functions to confirm that the user is permitted to modify the targeted saved search queries. Until an official patch is released, consider disabling or removing the plugin if it is not critical to business operations. Additionally, monitor user activity logs for unusual modifications to saved queries, especially those affecting administrator accounts. Employ the principle of least privilege by limiting subscriber-level access where possible. Regularly update WordPress and all plugins to the latest versions once patches become available. Finally, consider implementing web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting these functions.
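The authorization check recommended above, shown as an added illustration of the CWE-639 pattern in a WordPress AJAX handler. This is not the plugin's own code (its internals are not on this page); the handler names, the `user_id` and `query` request parameters, the `woof_saved_queries` meta key and the nonce action are hypothetical.

```php
<?php
// Vulnerable shape (CWE-639): the profile to modify is chosen by a request
// parameter, so any logged-in user can name another user's ID, an admin's included.
function husky_demo_add_query_vulnerable() {
    $target  = absint( $_POST['user_id'] );                          // user-controlled key
    $saved   = husky_demo_load_saved( $target );
    $saved[] = sanitize_text_field( wp_unslash( $_POST['query'] ) );
    update_user_meta( $target, 'woof_saved_queries', $saved );       // writes to any profile
    wp_send_json_success();
}

function husky_demo_load_saved( $user_id ) {
    $saved = get_user_meta( $user_id, 'woof_saved_queries', true );  // '' when unset
    return is_array( $saved ) ? array_values( $saved ) : array();
}

// Hardened shape: one guard shared by add and remove. Identity comes from the
// session, the nonce ties the request to a form issued to that session, and
// the only value accepted from the client is the query text itself.
function husky_demo_authorize_saved_query_request() {
    check_ajax_referer( 'husky_demo_saved_query', 'nonce' );         // dies on a bad nonce
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    $query = isset( $_POST['query'] ) ? sanitize_text_field( wp_unslash( $_POST['query'] ) ) : '';
    if ( '' === $query || strlen( $query ) > 500 ) {
        wp_send_json_error( 'invalid query', 400 );
    }
    return array( get_current_user_id(), $query );                   // never $_POST['user_id']
}

function husky_demo_add_query_hardened() {
    list( $user_id, $query ) = husky_demo_authorize_saved_query_request();
    $saved   = husky_demo_load_saved( $user_id );
    $saved[] = $query;
    update_user_meta( $user_id, 'woof_saved_queries', $saved );
    wp_send_json_success( array( 'count' => count( $saved ) ) );
}

function husky_demo_remove_query_hardened() {
    list( $user_id, $query ) = husky_demo_authorize_saved_query_request();
    $saved = array_values( array_diff( husky_demo_load_saved( $user_id ), array( $query ) ) );
    update_user_meta( $user_id, 'woof_saved_queries', $saved );
    wp_send_json_success( array( 'count' => count( $saved ) ) );
}

// wp_ajax_* hooks fire only for authenticated sessions; the guard above supplies the rest.
add_action( 'wp_ajax_husky_demo_add_query', 'husky_demo_add_query_hardened' );
add_action( 'wp_ajax_husky_demo_remove_query', 'husky_demo_remove_query_hardened' );
```

The essential change is that the profile being written is derived server-side from the session rather than from any client-supplied identifier, which removes the user-controlled key entirely instead of trying to validate it.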
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-12T23:36:07.758Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69302ef1720cedca79452381
Added to database: 12/3/2025, 12:37:05 PM
Last enriched: 12/3/2025, 12:52:01 PM
Last updated: 12/5/2025, 3:22:39 AM